draft-ietf-httpbis-rfc6265bis-01.txt   draft-ietf-httpbis-rfc6265bis-latest.txt 
HTTP Working Group A. Barth HTTP Working Group A. Barth
Internet-Draft M. West Internet-Draft M. West
Obsoletes: 6265 (if approved) Google, Inc Obsoletes: 6265 (if approved) Google, Inc
Intended status: Standards Track April 25, 2017 Intended status: Standards Track May 22, 2017
Expires: October 27, 2017 Expires: November 23, 2017
HTTP State Management Mechanism HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-01 draft-ietf-httpbis-rfc6265bis-latest
Abstract Abstract
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
These header fields can be used by HTTP servers to store state These header fields can be used by HTTP servers to store state
(called cookies) at HTTP user agents, letting the servers maintain a (called cookies) at HTTP user agents, letting the servers maintain a
stateful session over the mostly stateless HTTP protocol. Although stateful session over the mostly stateless HTTP protocol. Although
cookies have many historical infelicities that degrade their security cookies have many historical infelicities that degrade their security
and privacy, the Cookie and Set-Cookie header fields are widely used and privacy, the Cookie and Set-Cookie header fields are widely used
on the Internet. This document obsoletes RFC 2965. on the Internet. This document obsoletes RFC 6265.
Note to Readers Note to Readers
Discussion of this draft takes place on the HTTP working group Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at mailing list (ietf-http-wg@w3.org), which is archived at
https://lists.w3.org/Archives/Public/ietf-http-wg/ . https://lists.w3.org/Archives/Public/ietf-http-wg/ .
Working Group information can be found at http://httpwg.github.io/ ; Working Group information can be found at http://httpwg.github.io/ ;
source code and issues list for this draft can be found at source code and issues list for this draft can be found at
https://github.com/httpwg/http-extensions/labels/6265bis . https://github.com/httpwg/http-extensions/labels/6265bis .
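Review bot: the Abstract's closing sentence now reads "This document obsoletes RFC 6265", which fixes the inconsistency in the -01 text where the header line already said "Obsoletes: 6265 (if approved)" but the Abstract still named RFC 2965. While touching this region, consider making the Note to Readers consistent on URL scheme: the mailing-list archive is given as https://lists.w3.org/... but the working-group link is http://httpwg.github.io/ .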
skipping to change at page 1, line 47 skipping to change at page 1, line 47
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 27, 2017. This Internet-Draft will expire on November 23, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 35 skipping to change at page 2, line 35
Without obtaining an adequate license from the person(s) controlling Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other it for publication as an RFC or to translate it into languages other
than English. than English.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 5 2.1. Conformance Criteria . . . . . . . . . . . . . . . . . . 4
2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5 2.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 5
2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 2.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 6 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 7 3.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . 6
4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 8 4. Server Requirements . . . . . . . . . . . . . . . . . . . . . 8
4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 9 4.1. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 8
4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 9 4.1.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 8
4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 10 4.1.2. Semantics (Non-Normative) . . . . . . . . . . . . . . 10
4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 13 4.1.3. Cookie Name Prefixes . . . . . . . . . . . . . . . . 13
4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 14 4.2. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 14 4.2.1. Syntax . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 14 4.2.2. Semantics . . . . . . . . . . . . . . . . . . . . . . 14
5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 15 5. User Agent Requirements . . . . . . . . . . . . . . . . . . . 15
5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 15 5.1. Subcomponent Algorithms . . . . . . . . . . . . . . . . . 15
5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1.1. Dates . . . . . . . . . . . . . . . . . . . . . . . . 15
5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 17 5.1.2. Canonicalized Host Names . . . . . . . . . . . . . . 17
5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 18 5.1.3. Domain Matching . . . . . . . . . . . . . . . . . . . 17
5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 18 5.1.4. Paths and Path-Match . . . . . . . . . . . . . . . . 18
5.2. The Set-Cookie Header . . . . . . . . . . . . . . . . . . 19 5.2. The Set-Cookie Header . . . . . . . . . . . . . . . . . . 18
5.2.1. The Expires Attribute . . . . . . . . . . . . . . . . 21 5.2.1. The Expires Attribute . . . . . . . . . . . . . . . . 21
5.2.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 21 5.2.2. The Max-Age Attribute . . . . . . . . . . . . . . . . 21
5.2.3. The Domain Attribute . . . . . . . . . . . . . . . . 22 5.2.3. The Domain Attribute . . . . . . . . . . . . . . . . 21
5.2.4. The Path Attribute . . . . . . . . . . . . . . . . . 22 5.2.4. The Path Attribute . . . . . . . . . . . . . . . . . 22
5.2.5. The Secure Attribute . . . . . . . . . . . . . . . . 23 5.2.5. The Secure Attribute . . . . . . . . . . . . . . . . 22
5.2.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 23 5.2.6. The HttpOnly Attribute . . . . . . . . . . . . . . . 22
5.3. Storage Model . . . . . . . . . . . . . . . . . . . . . . 23 5.3. Storage Model . . . . . . . . . . . . . . . . . . . . . . 23
5.4. The Cookie Header . . . . . . . . . . . . . . . . . . . . 27 5.4. The Cookie Header . . . . . . . . . . . . . . . . . . . . 27
6. Implementation Considerations . . . . . . . . . . . . . . . . 29 6. Implementation Considerations . . . . . . . . . . . . . . . . 29
6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 29 6.1. Limits . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.2. Application Programming Interfaces . . . . . . . . . . . 29 6.2. Application Programming Interfaces . . . . . . . . . . . 29
6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 30 6.3. IDNA Dependency and Migration . . . . . . . . . . . . . . 30
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30
7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 30 7.1. Third-Party Cookies . . . . . . . . . . . . . . . . . . . 30
7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 31 7.2. User Controls . . . . . . . . . . . . . . . . . . . . . . 31
7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 31 7.3. Expiration Dates . . . . . . . . . . . . . . . . . . . . 31
8. Security Considerations . . . . . . . . . . . . . . . . . . . 32 8. Security Considerations . . . . . . . . . . . . . . . . . . . 31
8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 32 8.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 31
8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 32 8.2. Ambient Authority . . . . . . . . . . . . . . . . . . . . 32
8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 33 8.3. Clear Text . . . . . . . . . . . . . . . . . . . . . . . 32
8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 33 8.4. Session Identifiers . . . . . . . . . . . . . . . . . . . 33
8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 34 8.5. Weak Confidentiality . . . . . . . . . . . . . . . . . . 34
8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 35 8.6. Weak Integrity . . . . . . . . . . . . . . . . . . . . . 34
8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 35 8.7. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . 35
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35
9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 36 9.1. Cookie . . . . . . . . . . . . . . . . . . . . . . . . . 36
9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 36 9.2. Set-Cookie . . . . . . . . . . . . . . . . . . . . . . . 36
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 36
10.1. Normative References . . . . . . . . . . . . . . . . . . 36 10.1. Normative References . . . . . . . . . . . . . . . . . . 36
10.2. Informative References . . . . . . . . . . . . . . . . . 37 10.2. Informative References . . . . . . . . . . . . . . . . . 37
Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 39 Appendix A. Changes . . . . . . . . . . . . . . . . . . . . . . 38
A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 39 A.1. draft-ietf-httpbis-rfc6265bis-00 . . . . . . . . . . . . 38
A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 39 A.2. draft-ietf-httpbis-rfc6265bis-01 . . . . . . . . . . . . 38
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 40 A.3. draft-ietf-httpbis-rfc6265bis-02 . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
1. Introduction 1. Introduction
This document defines the HTTP Cookie and Set-Cookie header fields. This document defines the HTTP Cookie and Set-Cookie header fields.
Using the Set-Cookie header field, an HTTP server can pass name/value Using the Set-Cookie header field, an HTTP server can pass name/value
pairs and associated metadata (called cookies) to a user agent. When pairs and associated metadata (called cookies) to a user agent. When
the user agent makes subsequent requests to the server, the user the user agent makes subsequent requests to the server, the user
agent uses the metadata and other information to determine whether to agent uses the metadata and other information to determine whether to
return the name/value pairs in the Cookie header. return the name/value pairs in the Cookie header.
skipping to change at page 4, line 44 skipping to change at page 4, line 44
they are actually used on the Internet. In particular, this document they are actually used on the Internet. In particular, this document
does not create new syntax or semantics beyond those in use today. does not create new syntax or semantics beyond those in use today.
The recommendations for cookie generation provided in Section 4 The recommendations for cookie generation provided in Section 4
represent a preferred subset of current server behavior, and even the represent a preferred subset of current server behavior, and even the
more liberal cookie processing algorithm provided in Section 5 does more liberal cookie processing algorithm provided in Section 5 does
not recommend all of the syntactic and semantic variations in use not recommend all of the syntactic and semantic variations in use
today. Where some existing software differs from the recommended today. Where some existing software differs from the recommended
protocol in significant ways, the document contains a note explaining protocol in significant ways, the document contains a note explaining
the difference. the difference.
Prior to this document, there were at least three descriptions of This document obsoletes [RFC6265].
cookies: the so-called "Netscape cookie specification" [Netscape],
RFC 2109 [RFC2109], and RFC 2965 [RFC2965]. However, none of these
documents describe how the Cookie and Set-Cookie headers are actually
used on the Internet (see [Kri2001] for historical context). In
relation to previous IETF specifications of HTTP state management
mechanisms, this document requests the following actions:
1. Change the status of [RFC2109] to Historic (it has already been
obsoleted by [RFC2965]).
2. Change the status of [RFC2965] to Historic.
3. Indicate that [RFC2965] has been obsoleted by this document.
In particular, in moving RFC 2965 to Historic and obsoleting it, this
document deprecates the use of the Cookie2 and Set-Cookie2 header
fields.
2. Conventions 2. Conventions
2.1. Conformance Criteria 2.1. Conformance Criteria
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Requirements phrased in the imperative as part of algorithms (such as Requirements phrased in the imperative as part of algorithms (such as
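Review bot: replacing the paragraph beginning "Prior to this document, there were at least three descriptions of cookies" with the single sentence "This document obsoletes [RFC6265]." also removes the only explicit statement in the Introduction that the Cookie2 and Set-Cookie2 header fields are deprecated. The status requests for [RFC2109] and [RFC2965] are rightly gone now that the draft obsoletes RFC 6265 rather than RFC 2965, but implementers reading this draft on its own lose that guidance; the Changes appendix records dropping "Cookie2" and "Set-Cookie2" from the IANA Considerations section, so a one-sentence note after the new text, along the lines of "The Cookie2 and Set-Cookie2 header fields remain deprecated.", would keep the deprecation visible.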
skipping to change at page 13, line 18 skipping to change at page 13, line 11
requests. In particular, the attribute instructs the user agent to requests. In particular, the attribute instructs the user agent to
omit the cookie when providing access to cookies via "non-HTTP" APIs omit the cookie when providing access to cookies via "non-HTTP" APIs
(such as a web browser API that exposes cookies to scripts). (such as a web browser API that exposes cookies to scripts).
Note that the HttpOnly attribute is independent of the Secure Note that the HttpOnly attribute is independent of the Secure
attribute: a cookie can have both the HttpOnly and the Secure attribute: a cookie can have both the HttpOnly and the Secure
attribute. attribute.
4.1.3. Cookie Name Prefixes 4.1.3. Cookie Name Prefixes
Section 8.5 and 8.6 of this document spell out some of the drawbacks Section 8.5 and Section 8.6 of this document spell out some of the
of cookies' historical implementation. In particular, it is drawbacks of cookies' historical implementation. In particular, it
impossible for a server to have confidence that a given cookie was is impossible for a server to have confidence that a given cookie was
set with a particular set of attributes. In order to provide such set with a particular set of attributes. In order to provide such
confidence in a backwards-compatible way, two common sets of confidence in a backwards-compatible way, two common sets of
requirements can be inferred from the first few characters of the requirements can be inferred from the first few characters of the
cookie's name. cookie's name.
The normative requirements for the prefixes described below are The normative requirements for the prefixes described below are
detailed in the storage model algorithm defined in Section 5.3. detailed in the storage model algorithm defined in Section 5.3.
4.1.3.1. The "__Secure-" Prefix 4.1.3.1. The "__Secure-" Prefix
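Review bot: the xref style fix to "Section 8.5 and Section 8.6" is fine, but the sentence that follows, "it is impossible for a server to have confidence that a given cookie was set with a particular set of attributes", is then answered by a promise to "provide such confidence in a backwards-compatible way" via the name prefix. That confidence only holds for user agents that implement the storage-model checks the paragraph points to in Section 5.3; a server cannot distinguish a conforming user agent from one that predates the prefix rules and stores a "__Secure-" cookie regardless of its attributes. Suggest qualifying the sentence, e.g. "...two common sets of requirements can be inferred from the first few characters of the cookie's name by user agents that implement Section 5.3", so that servers do not read the prefix as a guarantee.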
skipping to change at page 37, line 31 skipping to change at page 37, line 25
[RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<http://www.rfc-editor.org/info/rfc5234>. <http://www.rfc-editor.org/info/rfc5234>.
[RFC5890] Klensin, J., "Internationalized Domain Names for [RFC5890] Klensin, J., "Internationalized Domain Names for
Applications (IDNA): Definitions and Document Framework", Applications (IDNA): Definitions and Document Framework",
RFC 5890, DOI 10.17487/RFC5890, August 2010, RFC 5890, DOI 10.17487/RFC5890, August 2010,
<http://www.rfc-editor.org/info/rfc5890>. <http://www.rfc-editor.org/info/rfc5890>.
[USASCII] Institute, A., "Coded Character Set -- 7-bit American [USASCII] American National Standards Institute, "Coded Character
Standard Code for Information Interchange", 1986, <ANSI Set -- 7-bit American Standard Code for Information
X3.4>. Interchange", ANSI X3.4, 1986.
10.2. Informative References 10.2. Informative References
[Aggarwal2010] [Aggarwal2010]
Aggarwal, G., Burzstein, E., Jackson, C., and D. Boneh, Aggarwal, G., Burzstein, E., Jackson, C., and D. Boneh,
"An Analysis of Private Browsing Modes in Modern "An Analysis of Private Browsing Modes in Modern
Browsers", 2010, Browsers", 2010,
<http://www.usenix.org/events/sec10/tech/full_papers/ <http://www.usenix.org/events/sec10/tech/full_papers/
Aggarwal.pdf>. Aggarwal.pdf>.
[CSRF] Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses [CSRF] Barth, A., Jackson, C., and J. Mitchell, "Robust Defenses
for Cross-Site Request Forgery", 2008, for Cross-Site Request Forgery", 2008,
<http://portal.acm.org/citation.cfm?id=1455770.1455782>. <http://portal.acm.org/citation.cfm?id=1455770.1455782>.
[draft-ietf-httpbis-cookie-alone] [I-D.ietf-httpbis-cookie-alone]
West, M., "Deprecate modification of 'secure' cookies from West, M., "Deprecate modification of 'secure' cookies from
non-secure origins", September 2016, non-secure origins", draft-ietf-httpbis-cookie-alone-01
<https://tools.ietf.org/html/draft-ietf-httpbis-cookie- (work in progress), September 2016.
alone-01>.
[draft-ietf-httpbis-cookie-prefixes]
West, M., "Cookie Prefixes", February 2016,
<https://tools.ietf.org/html/draft-ietf-httpbis-cookie-
prefixes-00>.
[Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and
Politics", ACM ACM Transactions on Internet Technology
Vol. 1, #2, November 2001,
<http://arxiv.org/abs/cs.SE/0105018>.
[Netscape]
Corp., N., "Persistent Client State -- HTTP Cookies",
1999, <http://web.archive.org/web/20020803110822/http://wp
.netscape.com/newsref/std/cookie_spec.html>.
[RFC2109] Kristol, D. and L. Montulli, "HTTP State Management [I-D.ietf-httpbis-cookie-prefixes]
Mechanism", RFC 2109, DOI 10.17487/RFC2109, February 1997, West, M., "Cookie Prefixes", draft-ietf-httpbis-cookie-
<http://www.rfc-editor.org/info/rfc2109>. prefixes-00 (work in progress), February 2016.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<http://www.rfc-editor.org/info/rfc2818>. <http://www.rfc-editor.org/info/rfc2818>.
[RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
Mechanism", RFC 2965, DOI 10.17487/RFC2965, October 2000,
<http://www.rfc-editor.org/info/rfc2965>.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO [RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, November
2003, <http://www.rfc-editor.org/info/rfc3629>. 2003, <http://www.rfc-editor.org/info/rfc3629>.
[RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", BCP 90, RFC 3864, Procedures for Message Header Fields", BCP 90, RFC 3864,
DOI 10.17487/RFC3864, September 2004, DOI 10.17487/RFC3864, September 2004,
<http://www.rfc-editor.org/info/rfc3864>. <http://www.rfc-editor.org/info/rfc3864>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
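Review bot: dropping [Kri2001], [Netscape], [RFC2109] and [RFC2965] from the informative references matches the removal of the Introduction paragraph that cited them, but this diff only shows that one citing region; before merging, check the rest of the draft (Overview, the Section 5 notes on legacy behaviour, Security Considerations) for any remaining "[RFC2965]" or "[Netscape]" citation, since an xref to a removed anchor leaves a dangling reference. The correction of [USASCII] from "Institute, A." to "American National Standards Institute" with "ANSI X3.4" as the document identifier rather than a URL-style "<ANSI X3.4>" is right, and the renaming of the draft anchors to "[I-D.ietf-httpbis-cookie-alone]" and "[I-D.ietf-httpbis-cookie-prefixes]" is reflected in the Appendix A entries, so those stay consistent.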
skipping to change at page 39, line 41 skipping to change at page 39, line 14
* https://github.com/httpwg/http-extensions/issues/246 * https://github.com/httpwg/http-extensions/issues/246
o Addresses errata 3444 by updating the "path-value" and "extension- o Addresses errata 3444 by updating the "path-value" and "extension-
av" grammar, errata 4148 by updating the "day-of-month", "year", av" grammar, errata 4148 by updating the "day-of-month", "year",
and "time" grammar, and errata 3663 by adding the requested note. and "time" grammar, and errata 3663 by adding the requested note.
https://www.rfc-editor.org/errata_search.php?rfc=6265 https://www.rfc-editor.org/errata_search.php?rfc=6265
o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations o Dropped "Cookie2" and "Set-Cookie2" from the IANA Considerations
section: https://github.com/httpwg/http-extensions/issues/247 section: https://github.com/httpwg/http-extensions/issues/247
o Merged the recommendations from [draft-ietf-httpbis-cookie-alone], o Merged the recommendations from [I-D.ietf-httpbis-cookie-alone],
removing the ability for a non-secure origin to set cookies with a removing the ability for a non-secure origin to set cookies with a
'secure' flag, and to overwrite cookies whose 'secure' flag is 'secure' flag, and to overwrite cookies whose 'secure' flag is
true. true.
o Merged the recommendations from o Merged the recommendations from
[draft-ietf-httpbis-cookie-prefixes], adding "__Secure-" and [I-D.ietf-httpbis-cookie-prefixes], adding "__Secure-" and
"__Host-" cookie name prefix processing instructions. "__Host-" cookie name prefix processing instructions.
A.3. draft-ietf-httpbis-rfc6265bis-02
o None (yet).
Appendix B. Acknowledgements Appendix B. Acknowledgements
This document is a minor update of RFC 6265, adding small features, This document is a minor update of RFC 6265, adding small features,
and aligning the specification with the reality of today's and aligning the specification with the reality of today's
deployments. Here, we're standing upon the shoulders of giants. deployments. Here, we're standing upon the shoulders of giants.
Authors' Addresses Authors' Addresses
Adam Barth Adam Barth
Google, Inc Google, Inc
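Review bot: A.3 (draft-ietf-httpbis-rfc6265bis-02) reads "None (yet)", but this diff already carries changes that belong in that entry: the Abstract and Introduction now state that the document obsoletes RFC 6265 rather than RFC 2965, the Introduction paragraph on the Netscape specification, RFC 2109 and RFC 2965 together with the four references it cited was removed, and the [USASCII] reference was corrected. Suggest listing those under A.3 so the change log matches the text. The Acknowledgements sentence "This document is a minor update of RFC 6265" is consistent with the new Abstract and needs no change.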
 End of changes. 27 change blocks. 
78 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.44jr. The latest version is available from http://tools.ietf.org/tools/rfcdiff/